On Jul 25, 2023, at 00:19, Tobias Brunner wrote:
>
> That's exactly what I'm proposing. Make it *mandatory* that the first
> rekeying of the Child SA that's created with IKE_AUTH is a regular one.
> Because if that's not the case, it might be impossible for a responder
> to deduce what

Dear ipsec WG,
When working on a VPN implementation we found that it's very difficult to
rely on IPv6 ESP packets because many networks drop them, so even if IKE
negotiation succeeds, the data plane might be broken. Worse, this can
happen on migrate, blackholing an existing session until the

Hi Tero,
>> It already states in section 3: "Non-optimized, regular rekey requests
>> MUST always be accepted."
> ...
>> So you're saying some configs, that are valid for regular IKEv2, will
>> just not work with this extension? And we'll only know once there is
>
> Combining those two, I